
CVE-2023-5868

PostgreSQL: memory disclosure in aggregate function calls

Published: 12/10/2023 Last updated: 3/12/2026 Reserved: 10/31/2023

A memory disclosure vulnerability was found in PostgreSQL that allows remote users to access sensitive information by exploiting certain aggregate function calls with 'unknown'-type arguments. Handling 'unknown'-type values from string literals without type designation can disclose bytes, potentially revealing notable and confidential information. This issue exists due to excessive data output in aggregate function calls, enabling remote users to read some portion of system memory.

CNA assigner: redhat (53f830b8-0a3f-465b-8143-3b8a9948e749) Requested by: n/a

Metrics

| Version | Score | Severity | Vector String |
|---------|-------|----------|---------------|
| 3.1 | 4.3 | Medium | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |

Opam packages affected (5)

conf-mingw-w64-postgresql-i686 conf-mingw-w64-postgresql-x86_64 conf-postgresql ocsigen-start postgresql

Products affected (37)

| Product | Vendor | Version |
|---------|--------|---------|
| RHACS-3.74-RHEL-8 | Red Hat | < 10.0.22621.4751 |
| Red Hat Advanced Cluster Security 4.2 | Red Hat | < 6.3.9600.22676 |
| RHACS-3.74-RHEL-8 | Red Hat | < 10.0.26100.2894 |
| Red Hat Advanced Cluster Security 4.2 | Red Hat | < 10.0.22631.5189 |
| Red Hat Advanced Cluster Security 4.2 | Red Hat | < 10.0.22631.5189 |
| RHACS-4.1-RHEL-8 | Red Hat | < 10.0.26100.3476 |
| RHACS-4.1-RHEL-8 | Red Hat | < 6.0.6003.23168 |
| Red Hat Advanced Cluster Security 4.2 | Red Hat | < 10.0.26100.3775 |
| RHACS-4.1-RHEL-8 | Red Hat | < 10.0.14393.7876 |
| Red Hat Advanced Cluster Security 4.2 | Red Hat | < 10.0.14393.7969 |
| Red Hat Enterprise Linux 6 | Red Hat | < 16.0.5495.1002 |
| Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support | Red Hat | < 10.0.14393.8246 |
| Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions | Red Hat | < 10.0.17763.7558 |
| Red Hat Enterprise Linux 8.6 Extended Update Support | Red Hat | < 10.0.26100.4652 |
| Red Hat Enterprise Linux 8 | Red Hat | < 10.0.26100.2894 |
| Red Hat Enterprise Linux 8.2 Advanced Update Support | Red Hat | < 10.0.14393.7699 |
| Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions | Red Hat | < 6.3.9600.22725 |
| Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support | Red Hat | < 10.0.20348.4052 |
| Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions | Red Hat | < 145.0.7632.45 |
| Red Hat Enterprise Linux 8.8 Extended Update Support | Red Hat | < 10.0.17763.7009 |
| Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions | Red Hat | < 10.0.25398.1551 |
| Red Hat Enterprise Linux 8.2 Telecommunications Update Service | Red Hat | < 10.0.20348.3453 |
| Red Hat Enterprise Linux 8.2 Advanced Update Support | Red Hat | < 10.0.17763.7136 |
| Red Hat Enterprise Linux 8 | Red Hat | < 10.0.14393.8246 |
| Red Hat Enterprise Linux 8.4 Telecommunications Update Service | Red Hat | < 10.0.17763.7558 |
| Red Hat Enterprise Linux 8.6 Extended Update Support | Red Hat | < 10.0.26100.3194 |
| Red Hat Enterprise Linux 8 | Red Hat | < 10.0.19045.5371 |
| Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions | Red Hat | < 6.0.6003.23117 |
| Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support | Red Hat | < 10.0.26100.3775 |
| Red Hat Enterprise Linux 8.4 Telecommunications Update Service | Red Hat | < 10.0.26100.3775 |
| Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions | Red Hat | < 10.0.20348.3932 |
| Red Hat Enterprise Linux 8.6 Extended Update Support | Red Hat | < 10.0.25398.1732 |
| Red Hat Enterprise Linux 8 | Red Hat | < 10.0.14393.7969 |
| Red Hat Enterprise Linux 8.8 Extended Update Support | Red Hat | < 10.0.26100.4652 |
| Red Hat Enterprise Linux 8 | Red Hat | < 10.0.17763.7136 |
| Red Hat Enterprise Linux 8 | Red Hat | < 6.2.9200.25273 |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | Red Hat | < 10.0.19045.6093 |

References (104)

Credits (2)